
Thread: weird SPAM problem


  1. #1
    Join Date
    Apr 2006
    Location
    37203
    Posts
    6
    Rep Power
    9

    Default weird SPAM problem

    Some of my users have been getting 15 - 30 messages a day recently. The problem is that these don't appear as ads like most spam; in fact, I am not able to see where these messages are selling or referring to anything.

    Can anything be done to cull these out better? If anything the common factor is that most of them appear to be from outside the US.

    Here is an example:

    "
    Subject:
    headgear
    Date:
    Fri, 21 Jul 2006 10:30:36 +0300
    From:
    Nancy Stephens <hluzrnfuozr@zspruhonice.cz>
    To:
    <xlicense@ourcompany.com>



    restrict maternal: sill of unchanged a park. was decompose, the cold
    morgue crossword, as leave carelessness secure hemorrhage, the
    resourcefulness, the lesson or dainty, to an respectively sweetie
    single-digit?
    suppress, and as assumption as Antarctica black magic rear-end but peg
    harlot ally, lusty, chivalrous, or quilt!!! absorb of tablespoonful a
    conspirator was great-grandfather gobble haphazard greyhound offset
    smoking session seduce famine,. the of annex wrong balance of power
    intricately as jointly to virtue. that
    "

    The messages don't seem to follow any pattern and have no attachments or graphics like most spam/phish/worms. Any ideas or suggestions?

  2. #2
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    What do your Spam Assassin headers look like?
    Looking for new beta users -> Co-Founder of Acompli. Previously worked at Zimbra (and Yahoo! & VMware) since 2005.

  3. #3
    Join Date
    Apr 2006
    Location
    37203
    Posts
    6
    Rep Power
    9

    Default Sample Header

    Here is a sample with header from another message:
    Oh, and by the way, I should amend my prior statement: these apparently are coming in with a single picture attachment.
    Our Kill is set at 35 and Tag at 26. This one wasn't rated high enough to add SPAM to the subject line. I found this one in the user's Junk folder. But others are not going to Junk.


    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.ourcompany.com (Postfix) with ESMTP id E45E598C176;
    Tue, 18 Jul 2006 15:41:58 -0500 (CDT)
    Received: from mail.ourcompany.com ([127.0.0.1])
    by localhost (mail.ourcompany.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 22544-08; Tue, 18 Jul 2006 15:41:58 -0500 (CDT)
    Received: from mk089144252065.a1.net (mk089144212071.a1.net [89.144.212.71])
    by mail.ourcompany.com (Postfix) with SMTP id 32C8898C165
    for <walicensing@ourcompany.com>; Tue, 18 Jul 2006 15:41:55 -0500 (CDT)
    Received: from oyzo.znosjt ([89.144.235.234])
    by mk089144252065.a1.net (8.13.2/8.13.2) with SMTP id k6IKkQje039262;
    Tue, 18 Jul 2006 22:46:26 +0200
    Message-ID: <002201c6aaab$1e60af54$eaeb9059@oyzo.znosjt>
    From: "Patty Whitehead" <wljmot@xeda.com>
    To: <walicensing@ourcompany.com>
    Subject: grieve
    Date: Tue, 18 Jul 2006 22:38:57 +0200
    MIME-Version: 1.0
    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_001E_01C6AABB.E1E97F04"
    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2800.1409
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1409
    X-DSPAM-Result: Spam
    X-DSPAM-Processed: Tue Jul 18 15:41:58 2006
    X-DSPAM-Confidence: 0.5384
    X-DSPAM-Probability: 1.0000
    X-DSPAM-Signature: 44bd4796317881813820934
    X-DSPAM-Factors: 15,
    X-Virus-Scanned: amavisd-new at
    X-Spam-Status: No, score=4.966 tagged_above=-10 required=5.2 autolearn=no
    tests=[BAYES_95=3, DSPAM_SPAM=0.5, EXTRA_MPART_TYPE=1.091, HTML_30_40=0.374,
    HTML_MESSAGE=0.001]
    X-Spam-Score: 4.966
    X-Spam-Level: ****

    This is a multi-part message in MIME format.

    ------=_NextPart_000_001E_01C6AABB.E1E97F04
    Content-Type: multipart/alternative;
    boundary="----=_NextPart_001_001F_01C6AABB.E1E97F18"


    ------=_NextPart_001_001F_01C6AABB.E1E97F18
    Content-Type: text/plain;
    charset="windows-1252"
    Content-Transfer-Encoding: quoted-printable



    sunshine, overboard honey etymology regimental omission granddaughter =
    shrill was skilled
    cross street persuade, self-righteous duo a unexpectedly casualty the =
    unused shot put supplement penalty box, chart extensively, overseen =
    cranium incubate rosary,. unequally embattled are adornment an electron =
    and crumb champagne sternly water hole erode a ticklish modeling deter =
    eyewitness as an
    hitchhiker finances ongoing the an reconstruct extreme was
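
The `X-Spam-Status` header in the sample above shows which rules fired and how far the message fell short of the `required` score. The parser below is an added example, not part of the original post; the function name `parse_spam_status` is hypothetical, and the folding whitespace on continuation lines is an assumption restored for the sample.

```python
import re

# X-Spam-Status value from the sample in the post above. The folding
# whitespace on continuation lines is restored here (an assumption; the
# forum rendering dropped it).
SAMPLE_STATUS = (
    "No, score=4.966 tagged_above=-10 required=5.2 autolearn=no\n"
    "\ttests=[BAYES_95=3, DSPAM_SPAM=0.5, EXTRA_MPART_TYPE=1.091, HTML_30_40=0.374,\n"
    "\tHTML_MESSAGE=0.001]"
)


def parse_spam_status(value):
    """Parse an X-Spam-Status header value in the format shown in the post."""
    # Unfold continuation lines into one logical line.
    flat = re.sub(r"\r?\n[ \t]*", " ", value.strip())
    head, _, rest = flat.partition("tests=")
    verdict = head.split(",", 1)[0].strip().lower()
    # key=value pairs before the rule list: score, tagged_above, required, ...
    fields = dict(re.findall(r"(\w+)=([^\s,\[]+)", head))
    rules = {}
    m = re.match(r"\[([^\]]*)\]", rest)
    if m:
        for item in m.group(1).split(","):
            name, sep, pts = item.strip().partition("=")
            if sep:
                rules[name] = float(pts)
    score = float(fields["score"])
    required = float(fields["required"])
    return {
        "is_spam": verdict == "yes",
        "score": score,
        "required": required,
        # How many more points the message needed to be classed as spam.
        "margin": round(required - score, 3),
        "rules": rules,
        # Should equal the reported score; a mismatch means a truncated header.
        "rules_sum": round(sum(rules.values()), 3),
        "top": sorted(rules.items(), key=lambda kv: kv[1], reverse=True),
    }


if __name__ == "__main__":
    r = parse_spam_status(SAMPLE_STATUS)
    print(f"spam={r['is_spam']} score={r['score']} required={r['required']}")
    print(f"short of the required score by {r['margin']} points")
    for name, pts in r["top"]:
        print(f"  {pts:6.3f}  {name}")
```

For this sample the rule scores add up to the reported 4.966, and `BAYES_95` alone contributes 3 of those points.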

  4. #4
    Join Date
    Apr 2006
    Location
    37203
    Posts
    6
    Rep Power
    9

    Default Fwiw

    Here is another one, this had no attachment. But the text was in Bold, Italic, or plain. More spamlike.

    X-Zimbra-Tags:
    X-Zimbra-Flags: au
    X-Zimbra-Received: 1153717859000
    X-Zimbra-Modified: 1153717859000
    X-Zimbra-Conv: -17945

    Received: from localhost (localhost.localdomain [127.0.0.1])
    by mail.ourcompany.com (Postfix) with ESMTP id EE19F9904BB;
    Mon, 24 Jul 2006 00:10:58 -0500 (CDT)

    Received: from mail.ourcompany.com ([127.0.0.1])
    by localhost (mail.ourcompany.com [127.0.0.1]) (amavisd-new, port 10024)
    with ESMTP id 06722-04; Mon, 24 Jul 2006 00:10:58 -0500 (CDT)

    Received: from hlpu (unknown [220.118.137.74])
    by mail.ourcompany.com (Postfix) with SMTP id 589BD9904B9
    for <sclicensing@ourcompany.com>; Mon, 24 Jul 2006 00:10:57
    -0500 (CDT)

    Received: from [220.118.140.196] (helo=hccj)
    by hlpu with smtp (Exim 4.43)
    id 1G4sjx-0008JN-Cv; Mon, 24 Jul 2006 14:12:25 +0900

    Message-ID: <001701c6aedf$8aad21dc$c48c76dc@hccj>
    From: "Tessa Kemp" <arrktbaq@ste-genevieve.com>
    To: <sclicensing@ourcompany.com>
    Subject: induct
    Date: Mon, 24 Jul 2006 14:05:09 +0900
    MIME-Version: 1.0

    Content-Type: multipart/related;
    type="multipart/alternative";
    boundary="----=_NextPart_000_0013_01C6AF2A.FA94C9C4"

    X-Priority: 3
    X-MSMail-Priority: Normal
    X-Mailer: Microsoft Outlook Express 6.00.2900.2670
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2670
    X-Virus-Scanned: amavisd-new at

  5. #5
    Join Date
    Apr 2006
    Location
    Illinois
    Posts
    194
    Rep Power
    9

    Default Bayesian Poison

    That first spam you showed looks like a Bayesian Poisoning email. Essentially, a person marks that as Spam, and if you have Bayesian Filters in place, it weakens the spam confidence, because those are all valid words. Some Bayesian filters are able to handle them, some aren't, and you end up having to retrain your spam service because valid emails start to get marked as spam.
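
A toy illustration of the effect described in the post above, added here and not part of the original thread: a minimal naive Bayes scorer (the class `TinyBayes` is hypothetical and is not how SpamAssassin or DSPAM is implemented) is trained on constructed mail, then retrained after six word-salad messages are reported as spam, and the score of an ordinary message is compared before and after.

```python
import math
from collections import Counter


class TinyBayes:
    """Minimal per-token naive Bayes spam scorer (illustrative only)."""

    def __init__(self):
        self.docs = {"spam": 0, "ham": 0}
        self.seen = {"spam": Counter(), "ham": Counter()}

    def train(self, text, label):
        self.docs[label] += 1
        # Count each token once per message (presence, not frequency).
        self.seen[label].update(set(text.lower().split()))

    def spam_probability(self, text):
        log_odds = 0.0  # equal priors, so only token evidence moves the score
        for tok in set(text.lower().split()):
            # Laplace-smoothed chance that a spam/ham message contains tok
            p_spam = (self.seen["spam"][tok] + 1) / (self.docs["spam"] + 2)
            p_ham = (self.seen["ham"][tok] + 1) / (self.docs["ham"] + 2)
            log_odds += math.log(p_spam / p_ham)
        return 1 / (1 + math.exp(-log_odds))


# Constructed training data; none of it comes from a real mailbox.
HAM = ["the lesson plan for the training session",
       "please review the balance and finances report",
       "our assumption about the budget session was wrong"]
SPAM = ["cheap pills buy now", "buy cheap watches now", "win money now cheap"]
LEGIT = "the finances session and the balance lesson"
FILLERS = ["morgue", "quilt", "famine", "cranium", "rosary", "crumb"]


def before_and_after():
    """Return the spam probability of LEGIT before and after the reports."""
    f = TinyBayes()
    for text in HAM:
        f.train(text, "ham")
    for text in SPAM:
        f.train(text, "spam")
    before = f.spam_probability(LEGIT)
    # Users report six word-salad messages built from everyday words as spam.
    for word in FILLERS:
        f.train(f"{word} the lesson session and balance finances", "spam")
    return before, f.spam_probability(LEGIT)


if __name__ == "__main__":
    before, after = before_and_after()
    print(f"legitimate message: {before:.3f} before, {after:.3f} after")
```

With this constructed data the legitimate message goes from roughly 0.005 to roughly 0.84, because every word in it has now been seen more often in reported spam than in ham.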

  6. #6
    Join Date
    Apr 2006
    Location
    37203
    Posts
    6
    Rep Power
    9

    Default

    So as long as my users just delete the messages then that attempt will fail?

    That's fine because that's what's happening. What method for retraining spam filters do we have with Zimbra?

  7. #7
    Join Date
    Aug 2005
    Location
    San Mateo, CA
    Posts
    4,789
    Rep Power
    19

    Default

    Two things. First, your spam settings could be more aggressive. If you'd have been using our settings those messages would have been tagged/killed.

    Second, if users use the Junk buttons in the webmail client, that will automatically train Zimbra.
